[EN] Useful Tools

tags: Writeup Web English

curious

Train Of Thought & Solution

Challenge 1

If you use Burp Suite to intercept the HTTP requests sent from the browser, then in addition to the normal requests you will also see a request to /burp5u17e_ch4ll3nge

We can put this request into the Repeater to take a closer look

You can see that the response says "Let's start the challenge!", and you may also notice a Challenge header in the request that is not a typical header found in HTTP requests. You can try changing the value of Challenge to 1 and see what happens

By doing so, you should obtain the first segment of the flag and the URL for the next challenge

The hint provided in the challenge can also give you some ideas on how to approach it

fetch("/???", {
  headers: {???: "???"}
});
document.querySelector("body").innerHTML = "...";

fetch suggests that this JavaScript code sends an additional request to the server with a custom header, so you can use Burp Suite to intercept that request
However, the challenge is designed to discourage you from reading the JavaScript code, which has been obfuscated

Challenge 2

If you access /cur1_ch4ll3nge directly through a browser, you will see the message 'Do you know how to use curl?'. Therefore, you can try using the command curl http://lotuxctf.com:20001/cur1_ch4ll3nge to access this webpage

The challenge asks how to view headers using curl, so you can add the -i option to see what happens

After reading the hint provided in the challenge, you may realize that we need to find out which request methods the server supports. Luckily, there is a request method called OPTIONS that asks the server which methods it supports, so you can send an OPTIONS request to the challenge URL

You can see that there is a very strange method listed. You can try sending a request using that method and see what happens

By doing so, you should be able to successfully access the next challenge

Challenge 3

If you access /r3que57s_ch4ll3nge directly through a browser, you will see the message 'How to browse websites with Python?'. Therefore, you can use the Python requests library to access this webpage

import requests as req

r = req.get('http://lotuxctf.com:20001/r3que57s_ch4ll3nge')
print(r.headers)
print(r.text)

You can see that the server has verified your identity, so there is a Set-Cookie header that sets a cookie indicating you are logged in. The server also states that you need to use the POST method to obtain the sensitive information. To keep your login status, you can carry the cookie that represents your identity when sending the POST. Alternatively, you can use a requests.Session object, which stores and resends the cookie for you automatically

import requests as req

s = req.Session()
s.get('http://lotuxctf.com:20001/r3que57s_ch4ll3nge')
print(s.post('http://lotuxctf.com:20001/r3que57s_ch4ll3nge').text)
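To show why the cookie matters, here is an added example (not code from the challenge or this writeup) that runs offline: a constructed stand-in for the /r3que57s_ch4ll3nge server hands out a cookie on GET and only answers the POST when that cookie is sent back, and the client uses the standard library's cookie jar in place of requests.Session so nothing needs to be installed. The secret value, port and cookie name are made up for the example.

```python
import threading
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPCookieProcessor, Request, build_opener

SECRET = "FLAG_PART_3{constructed-not-the-real-flag}"  # constructed value

class ChallengeHandler(BaseHTTPRequestHandler):
    # Constructed stand-in for the challenge server, not the CTF's own code
    def log_message(self, *args):  # keep the request log quiet
        pass
    def do_GET(self):
        # First visit "verifies your identity" and hands out a login cookie
        self.send_response(200)
        self.send_header("Set-Cookie", "session=logged-in; Path=/")
        self.end_headers()
        self.wfile.write(b"Use POST to get the sensitive information\n")
    def do_POST(self):
        # Only a POST that carries the cookie from the GET gets the secret
        if "session=logged-in" in self.headers.get("Cookie", ""):
            status, body = 200, SECRET.encode()
        else:
            status, body = 403, b"Not logged in\n"
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)

def start_server():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/r3que57s_ch4ll3nge"

def post_with_session(url):
    # The cookie jar does what requests.Session does: GET stores the cookie, POST sends it
    opener = build_opener(HTTPCookieProcessor(CookieJar()))
    opener.open(url).read()
    return opener.open(Request(url, data=b"", method="POST")).read().decode()

def post_without_session(url):
    # A bare POST carries no cookie, so the server answers 403
    try:
        return build_opener().open(Request(url, data=b"", method="POST")).status
    except HTTPError as e:
        return e.code

if __name__ == "__main__":
    srv, url = start_server()
    print(post_with_session(url), post_without_session(url))
    srv.shutdown()
```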

Putting the three flag segments together will give you the complete flag!

Compare the result of sha256 on burpsuite,_curl,_requests with the flag